
US9560039B2 - Controlled discovery of SAN-attached SCSI devices and access control via login authentication - Google Patents


Info

Publication number
US9560039B2
Authority
US
United States
Prior art keywords
access
storage
client devices
target
determining
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active, expires
Application number
US14/090,880
Other versions
US20140090043A1 (en)
Inventor
Dean Kalman
Ken Sandars
Brett Dolecheck
Mike Reyero
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Microsemi Solutions US Inc
Original Assignee
Microsemi Storage Solutions US Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Microsemi Storage Solutions US Inc
Priority to US14/090,880
Assigned to PMC-SIERRA US, INC. Assignment of assignors' interest (see document for details). Assignors: DOLECHECK, BRETT; KALMAN, DEAN
Publication of US20140090043A1
Assigned to MORGAN STANLEY SENIOR FUNDING, INC. Patent security agreement. Assignors: MICROSEMI STORAGE SOLUTIONS (U.S.), INC. (F/K/A PMC-SIERRA US, INC.); MICROSEMI STORAGE SOLUTIONS, INC. (F/K/A PMC-SIERRA, INC.)
Assigned to MICROSEMI STORAGE SOLUTIONS (U.S.), INC. Change of name (see document for details). Assignors: PMC-SIERRA US, INC.
Application granted
Publication of US9560039B2
Assigned to MICROSEMI STORAGE SOLUTIONS, INC.; MICROSEMI STORAGE SOLUTIONS (U.S.), INC. Release by secured party (see document for details). Assignors: MORGAN STANLEY SENIOR FUNDING, INC.
Legal status: Active
Adjusted expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F 21/78 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
    • G06F 21/80 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data in storage media based on magnetic or optical technology, e.g. disks with sectors
    • G06F 21/805 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data in storage media based on magnetic or optical technology, e.g. disks with sectors using a security table for the storage sub-system
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network
    • H04L 67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]

Definitions

  • an access control mechanism denies access to targets which the client has not been configured to access.
  • the transport protocol used to access the targets must use connections which begin with a log-in procedure.
  • the log-in procedure supports an authentication scheme in one embodiment.
  • Each target on the storage appliance is configured to demand an authentication phrase.
  • the CHAP protocol requires a user name, which may be a target IQN, and a secret, i.e., a password.
  • This storage appliance will only accept user name/secret pairs which are configured solely for the use of the target being logged into. In other words, the secret is uniquely indexed by each target-name/user name pair.
  • the user name may be set to the target name. This reduces the information a client needs to retain, since the target name identifies the secret. For example, if the target IQN 1995-12.com.adaptec:0fea3d.20070213133015.disc2 is being accessed, the CHAP secret associated with user name IQN.1995-12.com.adaptec:0fea3d.20070213133025.disc3 would not be accepted. If the host cannot be authenticated, then the host is effectively denied access. In addition, once a client successfully logs in there are no further access checks needed for the duration of the connection. Thus, the access control mechanism presented herein is invoked during the establishment of a relationship between the client and the storage.
  • FIG. 5 is a simplified schematic diagram illustrating the method operations for controlled discovery access in accordance with one embodiment described in the present disclosure.
  • the method initiates with operation 200 where a host requests a list.
  • the host may request a list through an iSCSI initiator in one embodiment.
  • a storage pool is created for particular volumes on a storage device, as illustrated in FIG. 1 in one exemplary embodiment.
  • an initiator enables certain targets to be viewed.
  • the targets that are viewed are accessed through a login procedure that supports authentication as described above.
  • authentication of the requestor requires the requestor to provide a username and password to the storage device in order to gain access to the viewed targets.
  • the initiator accesses those targets through the successful authentication and password scheme described herein as specified in operation 208 .
  • the storage appliance verifies that the client knows the secret/password without any knowledge of the client, and the need for the mapping table is eliminated.
  • any of the operations described herein that form part of several embodiments are useful machine operations.
  • Some embodiments described in the present disclosure also relate to a device or an apparatus for performing these operations.
  • the apparatus may be specially constructed for the required purposes, or it may be a general purpose computer selectively activated or configured by a computer program stored in the computer.
  • various general purpose machines may be used with computer programs written in accordance with the teachings herein, or it may be more convenient to construct a more specialized apparatus to perform the required operations.
  • the computer readable medium is any data storage device that can store data which can thereafter be read by a computer system.
  • Examples of the computer readable medium include hard drives, network attached storage (NAS), read-only memory, random-access memory, CD-ROMs, CD-Rs, CD-RWs, magnetic tapes, and other optical and non-optical data storage devices.
  • the computer readable medium can also be distributed over a network coupled computer systems so that the computer readable code is stored and executed in a distributed fashion.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

A method for accessing data in a storage area network is provided. The method initiates with receiving a request for a list of targets on the storage area network. All the targets on the storage area network are exposed to the requestor and authentication requiring a password is requested from the requestor to grant access to the targets on the storage area network. Access to the targets is granted if the password is acceptable, and access to the targets is refused if the password is unacceptable.

Description

CLAIM OF PRIORITY
This patent application is a continuation of and claims the benefit of and priority, under 35 U.S.C. §120, to U.S. application Ser. No. 12/053,228, filed on Mar. 21, 2008, and titled “Controlled Discovery of SAN-Attached SCSI Devices and Access Control Via Login Authentication”, which claims the benefit of and priority, under 35 U.S.C. §119(e), to U.S. Provisional Application No. 60/896,809, filed Mar. 23, 2007, and titled “Controlled Discovery of SAN-Attached SCSI Devices and Access Control Via Login Authentication”, all of which are incorporated by reference herein in their entirety for all purposes.
BACKGROUND
Storage routers allow access to logical units via a mapping mechanism. Under this technique, the client's identification is used to determine whether access to a particular logical unit may be granted. This mapping scheme is implemented for each command from a particular client. The mapping technique is required since a single target was provided to a client logging into the system. The target housed zero or more logical units that the client was allowed access to. As the login permitted access to the storage appliance but did not control access to the logical units, the mapping technique was implemented.
Access control using mapping techniques requires the storage appliance to have knowledge of the identity of all clients. As the number of logical units and clients increases, the mapping becomes more complex and less efficient, especially when applied on a per command basis.
As a result, there is a need to solve the problems of the prior art to provide for a more efficient access control technique for a storage appliance.
SUMMARY
Broadly speaking, various embodiments described in the present disclosure fill these needs by providing a method and apparatus for efficiently accessing data on a storage area network. It should be appreciated that the various embodiments can be implemented in numerous ways, including as a process, an apparatus, a system, or a device. The various embodiments are described below.
In one embodiment, a method for accessing data in a storage area network is provided. The method initiates with receiving a request for a list of targets on the storage area network. All the targets on the storage area network are exposed to the requestor and authentication requiring a password is requested from the requestor to grant access to the targets on the storage area network. Access to the targets is granted if the password is acceptable, and access to the targets is refused if the password is unacceptable.
Other aspects and advantages of embodiments described herein will become apparent from the following detailed description, taken in conjunction with the accompanying drawings, illustrating by way of example several principles.
BRIEF DESCRIPTION OF THE DRAWINGS
Several embodiments described in the present disclosure will be readily understood by the following detailed description in conjunction with the accompanying drawings, and like reference numerals designate like structural elements.
FIG. 1 is a simplified schematic diagram illustrating iSCSI access control in accordance with one embodiment described in the present disclosure.
FIG. 2 is a simplified schematic diagram illustrating a storage device interfacing with a number of clients in accordance with one embodiment described in the present disclosure.
FIG. 3 is a simplified schematic diagram illustrating further details of storage appliance in accordance with one embodiment described in the present disclosure.
FIG. 4 is a simplified schematic diagram illustrating the discovery domains within a storage appliance in accordance with one embodiment described in the present disclosure.
FIG. 5 is a simplified schematic diagram illustrating the method operations for controlled discovery access in accordance with one embodiment described in the present disclosure.
DETAILED DESCRIPTION
Several embodiments described herein include an apparatus and method for providing a controlled discovery mechanism that reduces the workload of a storage client. It will be obvious, however, to one skilled in the art, that some embodiments described herein may be practiced without some or all of these specific details. In other instances, well known process operations have not been described in detail in order not to unnecessarily obscure various embodiments described in the present disclosure.
Conventional computing devices, such as computer work stations, generally access data through network interconnections to storage area networks. Network interconnects enable access for a large number of computing devices to data storage on a remote network server. The remote network server provides file system structure, access control, and other miscellaneous capabilities that include the network interface. Access to data of the storage area network is through network protocols that the server must translate into low level requests to the storage device. A work station with access to the server must translate its file system protocols into network protocols that are used to communicate with the server. Consequently, from the perspective of a work station or other computing device, access to such server data is much slower than access to data on a local storage device. The embodiments described herein provide a more efficient technique for accessing data through network interconnections.
The embodiments described herein provide an access control mechanism invoked during the establishment of a relationship between a client and the storage appliance. Under the access control mechanism there are no further access controls or checks. In one embodiment, each logical unit of the storage appliance is exposed as an independent target. The access control mechanism uses a shared secret for access to each logical unit and does not rely on knowledge of the client's identification. In essence, a client knowing the shared secret will be granted access to the corresponding logical unit, irrespective of whether the client is known or unknown. As the storage appliance only needs to verify that the client knows the secret for the specific target or logical unit, there is no need for any knowledge of the client or for a mapping table. In addition, under the embodiments described herein, the need for access control to be tested on each command is eliminated. The controlled discovery method also reduces the workload of the storage client during establishment and maintenance of connections to network devices, as each target discovered is intended for the client and there are no records that need to be filtered or otherwise discarded as irrelevant. This, in turn, reduces network traffic by limiting the amount of discovery information transferred from the broker of that information. Furthermore, the embodiments described herein place no additional burden on storage clients, as discussed in more detail below.
FIG. 1 is a simplified schematic diagram illustrating iSCSI access control in accordance with one embodiment described in the present disclosure. Storage appliance 104 is in communication with hosts 100 a and 100 b over a storage area network. Hosts 100 a and 100 b may also be referred to as work stations or clients. Each host 100 a and 100 b runs corresponding iSCSI initiator software. The iSCSI initiator code 102 a and 102 b of the corresponding iSCSI initiator software will request access to certain volumes of storage pool 106. One skilled in the art will appreciate that if host 1 (100 a) or host 2 (100 b) sees a certain disc, the corresponding host believes that it owns the disc exclusively. If nothing prevents two hosts from accessing the same disc in the same area, corruption may occur. In order to prevent corruption, access controls are provided as discussed further herein. Within storage appliance 104, storage pool 106 having volumes 106 a and 106 b, access controls 110 a and 110 b, and targets 108 a and 108 b are provided. One skilled in the art will appreciate that volumes 106 a and 106 b are exposed as iSCSI targets 108 a and 108 b, respectively. Access controls 110 a and 110 b inform a corresponding initiator what that initiator can access in order to prevent access to unauthorized data. In essence, access controls 110 a and 110 b provide a list of iSCSI initiators that can access the targets, and there is one access control for each target. In one embodiment, the list is a table of iSCSI qualified names (IQN), each of which is a globally unique identifier of an iSCSI initiator.
FIG. 2 is a simplified schematic diagram illustrating a storage device interfacing with a number of clients in accordance with one embodiment described in the present disclosure. Storage appliance 104 is an apparatus with network interfaces 120 a through 120 c, data path 124, and storage interfaces 122 a and 122 b. Network interfaces 120 a through 120 c are in communication with hosts 100 a through 100 c. Hosts 100 a through 100 c are provided access to storage devices, which may be virtual or physical, through the corresponding network interface, data path 124 and storage interface. Storage interfaces 122 a and 122 b may connect appliance 104 to physical storage devices, e.g., discs or RAID array devices. Data path 124 performs a number of functions, including implementing layers of storage transport protocols (such as Ethernet, IP, TCP, iSCSI, FC layers 1-4, and ULP) and target application layer protocols (such as those defined in SCSI application layer specifications), and translating storage requests to and from storage interfaces 122 a and 122 b.
FIG. 3 is a simplified schematic diagram illustrating further details of storage appliance 104 in accordance with one embodiment described in the present disclosure. Storage appliance 104 includes targets 108 a through 108 b which would be exposed to an initiator of FIG. 1. With each target 108 a through 108 d, a logical unit number (LUN) 130 a through 130 d is associated with each corresponding target. In one embodiment, storage appliance 104 is configured to present independent logical devices to the storage network via the network interfaces. Each logical device or volume appears in the storage network as an independent device. In order to access the associated storage, the storage clients perform a log-in or establish a relationship with each independent device. In the embodiments described below, a methodology is provided for the storage clients to access storage devices. In one embodiment, the storage appliance is configured such that only targets which the host initiator should be accessing are presented during discovery actions requested by the host. In another embodiment, storage appliance 104 maintains sufficient information about its targets, i.e., logical devices, and the intended clients or hosts for each target. As described above, this may be accomplished through the access control lists referred to in FIG. 1. The information within the access control list is used to register discovery information with discovery information brokers, which may exist on the storage appliance or on another storage network entity, in one embodiment. A Discovery Information Broker is an agent on the storage area network that presents discovered logical units to clients that have initiated a discovery request, in one embodiment. Changes to device configuration on the storage appliance will lead to an automatic update of the registered information available through all discovery mechanisms. In this embodiment, the storage appliance is the agent of this update.
Two discovery mechanisms are presented herein for the iSCSI transport protocol in accordance with one embodiment described in the present disclosure. In one embodiment, the iSCSI discovery session is available to any storage client which knows the address of, and has a physical path to, any of the network interfaces on the storage controller. The discovery session requires the client to supply its identification. The client also requests, through the corresponding initiator, a list of the names and addresses of all targets on the storage appliance. The iSCSI protocol specifies that the target is required to supply a list of all targets which the initiator is authorized to access. In one embodiment, the storage appliance operates with no access controls based on the identity of the client, so all clients are effectively authorized to access all targets. In this embodiment, the intended client information is used to filter the list of targets returned to only those that have been declared for use by the identified client.
FIG. 4 is a simplified schematic diagram illustrating the discovery domains within a storage appliance in accordance with one embodiment described in the present disclosure. Storage appliance 104 includes discovery domains 150 a through 150 d. It should be appreciated that a discovery domain (DD) is an object type defined and used to limit the information supplied to clients, which are referred to as initiator nodes. In one embodiment, discovery domains may be grouped together in a discovery domain set (DDS). Storage appliance 104 registers a discovery domain set for the appliance and a discovery domain for each target. As illustrated in FIG. 4, each discovery domain 150 a through 150 d corresponds with a respective target node 1-4. In addition, each discovery domain 150 a through 150 d registers an initiator node for each client intended to use it. That is, initiator node 1 is allowed access to target node 1, target node 2, and target node 3. Initiator node 2 is allowed access to target node 3, while initiator node 3 is allowed access to target node 3 and target node 4. It should be noted that iSNS is a protocol designed to maintain and query a repository of target information for use by storage clients. In this embodiment, the storage appliance registers its targets' names and addressing information with the iSNS server. Storage clients query this server to obtain this information. This embodiment requires that the iSNS server is configured to allow DD/DDS modification by target nodes. The storage appliance can then register a DDS for the appliance and a DD for each target. The storage appliance also registers an initiator node for each client in the DD of each target the client is intended to use.
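As an added example (not code from the patent), the following Python models the access control list of FIG. 4 and derives both discovery views from the same table: the filtered SendTargets reply of an iSCSI discovery session and the iSNS DD/DDS registration, so that a reconfiguration updates both at once. The IQNs, portal addresses and DDS name are constructed sample values.

```python
from dataclasses import dataclass, field


@dataclass
class Target:
    """A logical device the appliance exposes, with its access control list."""
    name: str                                   # target IQN
    portal: str                                 # "ip:port" of a network interface
    intended_initiators: set = field(default_factory=set)   # initiator IQNs


class StorageAppliance:
    def __init__(self, dds_name):
        self.dds_name = dds_name                # one Discovery Domain Set per appliance
        self.targets = {}                       # target name -> Target

    def add_target(self, name, portal, initiators):
        self.targets[name] = Target(name, portal, set(initiators))

    def set_intended_initiators(self, name, initiators):
        """Reconfiguration: both discovery views below change automatically."""
        self.targets[name].intended_initiators = set(initiators)

    def visible_targets(self, initiator_name):
        """Target names declared for this initiator; unknown initiators see nothing."""
        return sorted(t.name for t in self.targets.values()
                      if initiator_name in t.intended_initiators)

    def send_targets(self, initiator_name):
        """Filtered SendTargets=All reply of a discovery session, as text lines."""
        lines = []
        for name in self.visible_targets(initiator_name):
            t = self.targets[name]
            lines.append(f"TargetName={t.name}")
            lines.append(f"TargetAddress={t.portal},1")   # ",1" = target portal group tag
        return lines

    def isns_registration(self):
        """One DD per target inside the appliance's DDS; the members of a DD are
        the target node plus the initiator nodes intended to use it."""
        return {
            "DDS_Name": self.dds_name,
            "DDs": [
                {"DD_Name": f"DD_{t.name}",
                 "DD_Members": [t.name] + sorted(t.intended_initiators)}
                for t in sorted(self.targets.values(), key=lambda t: t.name)
            ],
        }


# Constructed names reproducing the FIG. 4 arrangement: initiator node 1 may
# reach target nodes 1-3, initiator node 2 only target node 3, and initiator
# node 3 target nodes 3 and 4.
INI = {n: f"iqn.2000-01.com.example:initiator-{n}" for n in (1, 2, 3)}
TGT = {n: f"iqn.2000-01.com.example:target-{n}" for n in (1, 2, 3, 4)}


def build_fig4_appliance():
    app = StorageAppliance("DDS_appliance-104")
    app.add_target(TGT[1], "192.0.2.10:3260", [INI[1]])
    app.add_target(TGT[2], "192.0.2.10:3260", [INI[1]])
    app.add_target(TGT[3], "192.0.2.11:3260", [INI[1], INI[2], INI[3]])
    app.add_target(TGT[4], "192.0.2.11:3260", [INI[3]])
    return app


if __name__ == "__main__":
    app = build_fig4_appliance()
    for n in (1, 2, 3):
        print(INI[n], "->", app.visible_targets(INI[n]))
    print(app.send_targets(INI[2]))
    print(app.isns_registration())
```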
In another embodiment, an access control mechanism is provided that denies access to targets which the client has not been configured to access. It should be appreciated that the transport protocol used to access the targets must use connections which begin with a log-in procedure. In one embodiment, the log-in procedure supports an authentication scheme. Each target on the storage appliance is configured to demand an authentication phrase. For example, iSCSI requires support for the challenge handshake authentication protocol (CHAP). The CHAP protocol requires a user name, which may be a target IQN, and a secret, i.e., a password. This storage appliance will only accept user name/secret pairs which are configured solely for the use of the target being logged into. In other words, the secret is uniquely indexed by each target-name/user name pair. In one embodiment, the user name may be set to the target name. This reduces the information a client needs to retain to the target name and its secret. For example, if the target IQN 1995-12.com.adaptec:0fea3d.20070213133015.disc2 is being accessed, the CHAP secret associated with user name IQN.1995-12.com.adaptec:0fea3d.20070213133025.disc3 would not be accepted. If the host cannot be authenticated, then the host is effectively denied access. In addition, once a client successfully logs in, no further access checks are needed for the duration of the connection. Thus, the access control mechanism presented herein is invoked during the establishment of a relationship between the client and the storage. Once this relationship is established, there are no further access controls or checks. Earlier transport protocols had naming and addressing limitations which forced implementers to present a single target onto which the clients logged. The target then has zero or more logical units which each client may be allowed to access.
Such a login permits access to the storage appliance (specifically one of its ports) but does not control access to the logical units, hence the need for a mapping technique. The method defined herein alters the use of the previous mechanisms to provide access control without knowledge of the identity of the client. That is, access control using mapping techniques requires the storage appliance to have prior knowledge of the identity of all clients. The use of a shared secret removes that requirement. Instead, the storage appliance only needs to verify that the client knows the secret for the specific target. The storage appliance no longer needs any knowledge of the identity of the client.
FIG. 5 is a simplified schematic diagram illustrating the method operations for controlled discovery access in accordance with one embodiment described in the present disclosure. The method initiates with operation 200, where a host requests a list. With reference to FIG. 1, the host may request a list through an iSCSI initiator in one embodiment. In operation 202, a storage pool is created for particular volumes on a storage device, as illustrated in FIG. 1 in one exemplary embodiment. In operation 204, an initiator enables certain targets to be viewed. In one embodiment, the targets that are viewed are accessed through a login procedure that supports authentication, as described above. In operation 206, authentication of the requestor requires the requestor to provide a user name and password to the storage device in order to gain access to the viewed targets. In operation 208, the initiator accesses those targets through the successful authentication and password scheme described herein. Thus, through the above-described controlled access mechanism, the storage appliance verifies that the client knows the secret/password without knowledge of the client, and the need for the mapping table is eliminated.
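The per-target CHAP check of operations 206-208 and the secret indexing described with the CHAP example above, as an added example that is not the patent's own code: secrets are stored by the (target name, user name) pair, the appliance never consults the initiator's identity, and a secret configured for a different target is refused. Target names and secrets are constructed sample values; CHAP_R is computed as MD5(CHAP_I || secret || CHAP_C) as in RFC 1994.

```python
import hashlib
import hmac
import os


def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP_R = MD5(CHAP_I || secret || CHAP_C), as in RFC 1994 and the iSCSI spec."""
    return hashlib.md5(bytes([chap_id & 0xFF]) + secret + challenge).digest()


class SecretStore:
    """Secrets uniquely indexed by the (target name, user name) pair."""

    def __init__(self):
        self._secrets = {}

    def configure(self, target_name, user_name, secret):
        self._secrets[(target_name, user_name)] = secret

    def lookup(self, target_name, user_name):
        return self._secrets.get((target_name, user_name))


class TargetLogin:
    """Security negotiation stage of one login to a single target.

    The appliance never asks who the client is; it only checks that the
    presented user name is configured for *this* target and that CHAP_R
    proves knowledge of the matching secret.
    """

    def __init__(self, store, target_name):
        self.store = store
        self.target_name = target_name
        self.chap_id = None
        self.chap_c = None
        self.authenticated = False   # once True, no further checks on this connection

    def challenge(self):
        self.chap_id = os.urandom(1)[0]
        self.chap_c = os.urandom(16)
        return self.chap_id, self.chap_c

    def verify(self, user_name, chap_r):
        if self.chap_c is None:
            return False             # no challenge issued yet
        secret = self.store.lookup(self.target_name, user_name)
        if secret is None:
            return False             # user name/secret pair not configured for this target
        expected = chap_response(self.chap_id, secret, self.chap_c)
        self.authenticated = hmac.compare_digest(expected, chap_r)
        return self.authenticated


def attempt_login(store, target_name, user_name, client_secret):
    """Full exchange: target challenges, client answers with the secret it
    holds, target verifies. True only when client_secret is the one
    configured for (target_name, user_name)."""
    login = TargetLogin(store, target_name)
    chap_id, chap_c = login.challenge()
    chap_r = chap_response(chap_id, client_secret, chap_c)
    return login.verify(user_name, chap_r)


# Constructed sample configuration: user name set equal to the target name,
# so a client retains only the target name and its secret.
DISC2 = "iqn.2000-01.com.example:disc2"
DISC3 = "iqn.2000-01.com.example:disc3"
SECRET_DISC2 = b"constructed-secret-for-disc2-0001"
SECRET_DISC3 = b"constructed-secret-for-disc3-0002"


def build_store():
    store = SecretStore()
    store.configure(DISC2, DISC2, SECRET_DISC2)
    store.configure(DISC3, DISC3, SECRET_DISC3)
    return store


if __name__ == "__main__":
    store = build_store()
    print("disc2 with disc2 credentials:", attempt_login(store, DISC2, DISC2, SECRET_DISC2))
    print("disc2 with disc3 credentials:", attempt_login(store, DISC2, DISC3, SECRET_DISC3))
    print("disc2 with wrong secret:     ", attempt_login(store, DISC2, DISC2, SECRET_DISC3))
```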
With the above embodiments in mind, it should be understood that several embodiments described herein may employ various computer-implemented operations involving data stored in computer systems. These operations are those requiring physical manipulation of physical quantities. Usually, though not necessarily, these quantities take the form of electrical or magnetic signals capable of being stored, transferred, combined, compared, and otherwise manipulated. Further, the manipulations performed are often referred to in terms, such as producing, identifying, determining, or comparing.
Any of the operations described herein that form part of several embodiments are useful machine operations. Some embodiments described in the present disclosure also relate to a device or an apparatus for performing these operations. The apparatus may be specially constructed for the required purposes, or it may be a general purpose computer selectively activated or configured by a computer program stored in the computer. In particular, various general purpose machines may be used with computer programs written in accordance with the teachings herein, or it may be more convenient to construct a more specialized apparatus to perform the required operations.
Various embodiments described in the present disclosure can also be embodied as computer readable code on a computer readable medium. The computer readable medium is any data storage device that can store data which can thereafter be read by a computer system. Examples of the computer readable medium include hard drives, network attached storage (NAS), read-only memory, random-access memory, CD-ROMs, CD-Rs, CD-RWs, magnetic tapes, and other optical and non-optical data storage devices. The computer readable medium can also be distributed over network-coupled computer systems so that the computer readable code is stored and executed in a distributed fashion.
Although the foregoing embodiments have been described in some detail for purposes of clarity of understanding, it will be apparent that certain changes and modifications may be practiced within the scope of the appended claims. Accordingly, the present embodiments are to be considered as illustrative and not restrictive, and the embodiments are not to be limited to the details given herein, but may be modified within the scope and equivalents of the appended claims.

Claims (20)

The invention claimed is:
1. A system comprising:
a target device; and
a storage appliance coupled to the target device, the storage appliance including:
a network interface for receiving a request from one of a plurality of client devices to access the target device;
a storage interface for accessing data from the target device; and
a datapath for implementing a storage transfer protocol to facilitate transfer of data between the client device and the target device, wherein the storage appliance is defined to determine which of the client devices has access to the target device based on a password, wherein to determine which of the client devices has access to the target device, the storage appliance is configured to determine whether the request includes a name of the target device and is defined to authenticate the password within the request without determining an identity of the one of the client devices, wherein the storage appliance is further defined to allow access to the target device upon determining that the request includes the name of the target device and that the password has been authenticated and without determining the identity of the one of the client devices.
2. The system of claim 1, wherein the target device includes a logic device, wherein the network interface is a medium for presenting the logical device to a storage area network.
3. The system of claim 1, wherein the request is generated from an iSCSI initiator code.
4. The system of claim 1, wherein the request is received after another request for a list of target devices on a storage area network is received.
5. The system of claim 1, wherein the target device includes a storage device, wherein the storage device is virtual or physical.
6. The system of claim 1, wherein the one of the client devices comprises a work station or a host device.
7. The system of claim 1, wherein the storage interface is configured to send the request to the data path for application of the storage transfer protocol.
8. The system of claim 1, wherein the storage transfer protocol comprises Ethernet, IP, TCP, iSCSI, FC layers 1-4, or ULP.
9. The system of claim 1, wherein the data path is configured to apply a target application layer protocol, wherein the target application layer protocol is defined in SCSI application layer specifications.
10. The system of claim 1, wherein the name includes an iSCSI qualified name (IQN) name.
11. The system of claim 1, wherein the password is a part of a challenge handshake authentication protocol (CHAP).
12. The system of claim 1, wherein the storage appliance is further defined to deny access to the target device upon determining that the password has not been authenticated.
13. The system of claim 1, wherein the storage appliance is configured to allow access to the target device without utilizing mapping techniques that use the identity of the one of the client devices.
14. The system of claim 1, wherein the password is uniquely indexed by the name of the target device.
15. The system of claim 1, wherein the target device comprises a storage device, wherein the storage device includes a disc or a RAID array device.
16. The system of claim 1, wherein the identity of the one of the client devices comprises an iSCSI qualified name (IQN) name of the one of the client devices.
17. A method comprising:
receiving a request from one of a plurality of client devices to access a target node;
determining which of the client devices has access to the target node based on a password, wherein said determining which of the client devices has access to the target node includes determining whether the request includes a name of the target node and whether the password of the request has been authenticated without determining an identity of the one of the client devices; and
allowing access to the target node upon determining that the request includes the name of the target node and that the password has been authenticated and without determining the identity of the one of the client devices.
18. The method of claim 17, further comprising denying access to the target node upon determining that the password has not been authenticated.
19. The method of claim 17, wherein allowing the access to the target node is performed without utilizing mapping techniques that use the identity of the one of the client devices.
20. A non-transitory computer-readable storage medium with an executable program stored thereon, wherein the program instructs a computer to perform the following operations:
receiving a request from one of a plurality of client devices to access a target node;
determining which of the client devices has access to the target node based on a password, wherein said determining which of the client devices has access to the target node includes determining whether the request includes a name of the target node and whether the password of the request has been authenticated without determining an identity of the one of the client devices; and
allowing access to the target node upon determining that the request includes the name of the target node and that the password has been authenticated and without determining the identity of the one of the client devices.
US14/090,880 2007-03-23 2013-11-26 Controlled discovery of SAN-attached SCSI devices and access control via login authentication Active 2029-07-16 US9560039B2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US14/090,880 US9560039B2 (en) 2007-03-23 2013-11-26 Controlled discovery of SAN-attached SCSI devices and access control via login authentication

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US89680907P 2007-03-23 2007-03-23
US12/053,228 US8627418B2 (en) 2007-03-23 2008-03-21 Controlled discovery of san-attached SCSI devices and access control via login authentication
US14/090,880 US9560039B2 (en) 2007-03-23 2013-11-26 Controlled discovery of SAN-attached SCSI devices and access control via login authentication

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US12/053,228 Continuation US8627418B2 (en) 2007-03-23 2008-03-21 Controlled discovery of san-attached SCSI devices and access control via login authentication

Publications (2)

Publication Number Publication Date
US20140090043A1 US20140090043A1 (en) 2014-03-27
US9560039B2 true US9560039B2 (en) 2017-01-31

Family

ID=40364064

Family Applications (2)

Application Number Title Priority Date Filing Date
US12/053,228 Active 2031-07-22 US8627418B2 (en) 2007-03-23 2008-03-21 Controlled discovery of san-attached SCSI devices and access control via login authentication
US14/090,880 Active 2029-07-16 US9560039B2 (en) 2007-03-23 2013-11-26 Controlled discovery of SAN-attached SCSI devices and access control via login authentication

Family Applications Before (1)

Application Number Title Priority Date Filing Date
US12/053,228 Active 2031-07-22 US8627418B2 (en) 2007-03-23 2008-03-21 Controlled discovery of san-attached SCSI devices and access control via login authentication

Country Status (1)

Country Link
US (2) US8627418B2 (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8528041B1 (en) 2008-11-07 2013-09-03 Sprint Communications Company L.P. Out-of-band network security management
IN2013DE02846A (en) * 2013-09-26 2015-04-03 Emulex
CN106776094B (en) * 2016-12-12 2020-02-21 郑州云海信息技术有限公司 Tgtd service method, device and client
CN107180172A (en) * 2017-04-19 2017-09-19 上海海加网络科技有限公司 A kind of IPSAN access control methods and device based on USBKey digital certificate authentications

Citations (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030149869A1 (en) * 2002-02-01 2003-08-07 Paul Gleichauf Method and system for securely storing and trasmitting data by applying a one-time pad
US20050091333A1 (en) * 2003-10-23 2005-04-28 Ikuko Kobayashi Computer system that a plurality of computers share a storage device
US20050193181A1 (en) * 2004-02-26 2005-09-01 Yasunori Kaneda Data migration method and a data migration apparatus
US20050216767A1 (en) * 2004-03-29 2005-09-29 Yoshio Mitsuoka Storage device
US20050216668A1 (en) * 2004-03-29 2005-09-29 Hitachi, Ltd. Mode device, administrative server, routing method and authentication method
US20060053438A1 (en) * 2004-09-03 2006-03-09 Kabushiki Kaisha Toshiba Signal processing device and method of controlling the same
US20060064560A1 (en) * 2004-09-22 2006-03-23 Hitachi, Ltd. Storage system and storage control method
US20060155837A1 (en) * 2005-01-13 2006-07-13 Ikuko Kobayashi Diskless computer operation management system
US20060174003A1 (en) * 2005-01-31 2006-08-03 Wilson Christopher S Access control using file allocation table (FAT) file systems
US20060221985A1 (en) * 2005-04-01 2006-10-05 Cisco Technology, Inc. iSCSI and fibre channel authentication
US20070038749A1 (en) * 2005-07-29 2007-02-15 Broadcom Corporation Combined local and network storage interface
US7188225B1 (en) * 2003-12-05 2007-03-06 Applied Micro Circuits Corporation Storage system with disk drive power-on-reset detection
US20070143583A1 (en) * 2005-12-15 2007-06-21 Josep Cors Apparatus, system, and method for automatically verifying access to a mulitipathed target at boot time
US20070143611A1 (en) * 2005-12-15 2007-06-21 Arroyo Jesse P Apparatus, system, and method for deploying iSCSI parameters to a diskless computing device
US20080005565A1 (en) * 2006-06-29 2008-01-03 Kenta Shiga Computer system and method of updating authentication information of computer system
US20080209196A1 (en) * 2007-02-23 2008-08-28 Hernandez Carol B Method to Enable Firmware to Boot a System from an ISCSI Device
US20090046858A1 (en) * 2007-03-21 2009-02-19 Technology Properties Limited System and Method of Data Encryption and Data Access of a Set of Storage Devices via a Hardware Key
US20090222896A1 (en) * 2005-03-10 2009-09-03 Nippon Telegraph And Telephone Corporation Network system, method for controlling access to storage device, management server, storage device, log-in control method, network boot system, and unit storage unit access method

Family Cites Families (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080244695A1 (en) * 2000-06-01 2008-10-02 Jong-Sung Lee Total system for preventing information outflow from inside
US7043760B2 (en) * 2000-10-11 2006-05-09 David H. Holtzman System and method for establishing and managing relationships between pseudonymous identifications and memberships in organizations
TWI257058B (en) * 2000-11-21 2006-06-21 Ibm Anonymous access to a service
JP3972683B2 (en) * 2002-03-01 2007-09-05 ソニー株式会社 Cut list generation system, center server, advertisement production terminal device, computer program, storage medium, and center server cut list generation method.
US7507376B2 (en) * 2002-12-19 2009-03-24 3M Innovative Properties Company Integrated sample processing devices
JP4438582B2 (en) * 2004-09-22 2010-03-24 株式会社日立製作所 Data migration method
JP4699768B2 (en) * 2005-01-26 2011-06-15 株式会社日立製作所 Storage system that distributes access load
US8086760B1 (en) * 2005-09-29 2011-12-27 Emc Corporation Managing communications connections with data storage systems
US20080147821A1 (en) * 2006-12-19 2008-06-19 Dietrich Bradley W Managed peer-to-peer content backup service system and method using dynamic content dispersal to plural storage nodes

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Microsoft, "Manage iSCSI Security" Aug. 22, 2005, pp. 1-2. *

Also Published As

Publication number Publication date
US8627418B2 (en) 2014-01-07
US20140090043A1 (en) 2014-03-27
US20090049535A1 (en) 2009-02-19

Legal Events

Date Code Title Description
AS Assignment

Owner name: PMC-SIERRA US, INC., CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:KALMAN, DEAN;DOLECHECK, BRETT;REEL/FRAME:032214/0612

Effective date: 20140131

AS Assignment

Owner name: MORGAN STANLEY SENIOR FUNDING, INC., NEW YORK

Free format text: PATENT SECURITY AGREEMENT;ASSIGNORS:MICROSEMI STORAGE SOLUTIONS, INC. (F/K/A PMC-SIERRA, INC.);MICROSEMI STORAGE SOLUTIONS (U.S.), INC. (F/K/A PMC-SIERRA US, INC.);REEL/FRAME:037689/0719

Effective date: 20160115

AS Assignment

Owner name: MICROSEMI STORAGE SOLUTIONS (U.S.), INC., CALIFORN

Free format text: CHANGE OF NAME;ASSIGNOR:PMC-SIERRA US, INC.;REEL/FRAME:040733/0392

Effective date: 20160115

STCF Information on status: patent grant

Free format text: PATENTED CASE

AS Assignment

Owner name: MICROSEMI STORAGE SOLUTIONS (U.S.), INC., CALIFORN

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:MORGAN STANLEY SENIOR FUNDING, INC.;REEL/FRAME:046251/0271

Effective date: 20180529

Owner name: MICROSEMI STORAGE SOLUTIONS, INC., CALIFORNIA

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:MORGAN STANLEY SENIOR FUNDING, INC.;REEL/FRAME:046251/0271

Effective date: 20180529

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 4

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1552); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 8